v0.27.0-rc2

buildkit 0.27.0-rc2

Welcome to the v0.27.0-rc2 release of buildkit!
This is a pre-release of buildkit

Please try out the release binaries and report any issues at
https://github.com/moby/buildkit/issues.

Contributors

• Tõnis Tiigi
• CrazyMax
• Sebastiaan van Stijn

Notable Changes

• Fix error return when requesting attestation from non-index image #6473
• Fix possible "digest not found" error when fetching attestation chain due to missing lease #6464

Dependency Changes

• github.com/sirupsen/logrus v1.9.3 -> v1.9.4

Previous release can be found at v0.27.0-rc1

v0.27.0-rc1

Welcome to the v0.27.0-rc1 release of buildkit!
This is a pre-release of buildkit

Please try out the release binaries and report any issues at
https://github.com/moby/buildkit/issues.

Contributors

• Tõnis Tiigi
• CrazyMax
• Akihiro Suda
• Sebastiaan van Stijn
• Justin Chadwell
• Jonathan A. Sternberg
• David Karlsson
• Dawei Wei
• Natnael Gebremariam
• Aleksandr Karpinskii
• Amr Mahdi
• Brian Goff
• Joyal George K J
• Matt Coster
• Roberto Villarreal
• Rodolfo Carvalho
• Silvin Lubecki
• Tiger Kaovilai

Notable Changes

• Built-in Dockerfile frontend has been updated to v1.21.0-rc1
• This is a first version of BuildKit with signed release images and artifacts built using Docker Github Builder
• Allow convert decisions from Session Source Policy implementations #6427
• Github Cache backend now support optional signed cache that is cryptographically verified on import #6397
• Provide a gateway interface for reading container filesystems during builds #6262
• Push registry remote cache blobs in parallel for faster uploads #6455
• Cache attestation chain pull-through responses for better performance #6435
• Allow custom AuthConfig providers in client #6408
• Surface policy deny messages in build errors #6458
• Fix Git 2.52 support for matching some error conditions #6452
• Expose the build reference in exporter buildinfo #6424
• Improve expired keys handling in Git signature verification #6412
• Cache gateway forwarder mounts and deduplicate snapshot responses #6387
• Remove development gateway frontend options in favor of build-contexts #6350
• Prevent status stream from closing too early by using an inactivity timeout #6396
• Recover from history.db corruption #6371
• Fix xattr copy failures on SELinux systems #6015
• Fix Windows copy operations around protected files #6369
• Fix possible race condition in gateway bridge forwarder #6355
• Fix concurrency in source policy evaluation to prevent parallel panics #6448

Dependency Changes

• cyphar.com/go-pathrs v0.2.1 new
• github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.2 -> v1.20.0
• github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.11.0 -> v1.13.1
• github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 -> v1.6.0
• github.com/asaskevich/govalidator a9d515a09cc2 new
• github.com/aws/aws-sdk-go-v2 v1.38.1 -> v1.39.6
• github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.0 -> v1.7.2
• github.com/aws/aws-sdk-go-v2/config v1.31.3 -> v1.31.20
• github.com/aws/aws-sdk-go-v2/credentials v1.18.7 -> v1.18.24
• github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.4 -> v1.18.13
• github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.4 -> v1.4.13
• github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.4 -> v2.7.13
• github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 -> v1.8.4
• github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.4 -> v1.4.12
• github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0 -> v1.13.3
• github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.8.4 -> v1.9.3
• github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.4 -> v1.13.13
• github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.4 -> v1.19.12
• github.com/aws/aws-sdk-go-v2/service/s3 v1.87.1 -> v1.89.1
• github.com/aws/aws-sdk-go-v2/service/sso v1.28.2 -> v1.30.3
• github.com/aws/aws-sdk-go-v2/service/ssooidc v1.34.0 -> v1.35.7
• github.com/aws/aws-sdk-go-v2/service/sts v1.38.0 -> v1.40.2
• github.com/aws/smithy-go v1.22.5 -> v1.23.2
• github.com/blang/semver v3.5.1 new
• github.com/cloudflare/circl v1.6.0 -> v1.6.1
• github.com/containerd/cgroups/v3 v3.1.0 -> v3.1.2
• github.com/containerd/containerd/v2 v2.2.0 -> v2.2.1
• github.com/containerd/fuse-overlayfs-snapshotter/v2 v2.1.6 -> v2.1.7
• github.com/containerd/nydus-snapshotter v0.15.4 -> v0.15.10
• github.com/cyberphone/json-canonicalization 19d51d7fe467 new
• github.com/cyphar/filepath-securejoin v0.6.0 new
• github.com/digitorus/pkcs7 3a137a874352 new
• github.com/digitorus/timestamp 220c5c2851b7 new
• github.com/docker/cli v28.5.0 -> v29.1.4
• github.com/docker/docker-credential-helpers v0.9.3 -> v0.9.5
• github.com/go-openapi/analysis v0.24.1 new
• github.com/go-openapi/errors v0.22.4 new
• github.com/go-openapi/jsonpointer v0.22.1 new
• github.com/go-openapi/jsonreference v0.21.3 new
• github.com/go-openapi/loads v0.23.2 new
• github.com/go-openapi/runtime v0.29.2 new
• github.com/go-openapi/spec v0.22.1 new
• github.com/go-openapi/strfmt v0.25.0 new
• github.com/go-openapi/swag v0.25.3 new
• github.com/go-openapi/swag/cmdutils v0.25.3 new
• github.com/go-openapi/swag/conv v0.25.3 new
• github.com/go-openapi/swag/fileutils v0.25.3 new
• github.com/go-openapi/swag/jsonname v0.25.3 new
• github.com/go-openapi/swag/jsonutils v0.25.3 new
• github.com/go-openapi/swag/loading v0.25.3 new
• github.com/go-openapi/swag/mangling v0.25.3 new
• github.com/go-openapi/swag/netutils v0.25.3 new
• github.com/go-openapi/swag/stringutils v0.25.3 new
• github.com/go-openapi/swag/typeutils v0.25.3 new
• github.com/go-openapi/swag/yamlutils v0.25.3 new
• github.com/go-openapi/validate v0.25.1 new
• github.com/go-viper/mapstructure/v2 v2.4.0 new
• github.com/google/certificate-transparency-go v1.3.2 new
• github.com/google/go-containerregistry v0.20.6 new
• github.com/grafana/regexp a468a5bfb3bc new
• github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 -> v2.27.3
• github.com/in-toto/attestation v1.1.2 new
• github.com/klauspost/compress v1.18.1 -> v1.18.2
• github.com/moby/go-archive v0.1.0 -> v0.2.0
• github.com/moby/policy-helpers bcaa71c99f14 -> 9fcc1a9ec5c9
• github.com/oklog/ulid v1.3.1 new
• github.com/opencontainers/runtime-spec v1.2.1 -> v1.3.0
• github.com/opencontainers/runtime-tools 0ea5ed0382a2 -> edf4cb3d2116
• github.com/opencontainers/selinux v1.12.0 -> v1.13.1
• github.com/prometheus/otlptranslator v0.0.2 new
• github.com/prometheus/procfs v0.16.1 -> v0.17.0
• github.com/sigstore/protobuf-specs v0.5.0 new
• github.com/sigstore/rekor v1.4.3 new
• github.com/sigstore/rekor-tiles/v2 v2.0.1 new
• github.com/sigstore/sigstore v1.10.0 new
• github.com/sigstore/sigstore-go ...

dockerfile/1.21.0-rc1-labs

Usage

# syntax=docker.io/docker/dockerfile-upstream:1.21.0-rc1-labs

dockerfile/1.21.0-rc1

Usage

# syntax=docker.io/docker/dockerfile-upstream:1.21.0-rc1

Notable changes

• This is a first version of Dockerfile frontend with signed release images built using Docker Github Builder
• Allow skipping Dockerfile linter checks with a per-command comment #6334
• Strip heredoc shebang whitespace before parsing Dockerfile frontends #6402
• Fix CopyIgnoredFile linter rule ignoring negating matches #6356

v0.26.3

Welcome to the v0.26.3 release of buildkit!

Please try out the release binaries and report any issues at
https://github.com/moby/buildkit/issues.

Contributors

• Sebastiaan van Stijn
• Jonathan A. Sternberg
• Tõnis Tiigi

Notable Changes

• Fix session policy metadata resolution for git attributes and image attestations #6383

Dependency Changes

• github.com/containernetworking/plugins v1.8.0 -> v1.9.0

Previous release can be found at v0.26.2

v0.26.2

Welcome to the v0.26.2 release of buildkit!

Please try out the release binaries and report any issues at
https://github.com/moby/buildkit/issues.

Contributors

• CrazyMax
• Tõnis Tiigi

Notable Changes

• Fix possible error when uploading big files to S3 cache exporter #6373

Dependency Changes

This release has no dependency changes

Previous release can be found at v0.26.1

v0.26.1

Welcome to the v0.26.1 release of buildkit!

Please try out the release binaries and report any issues at
https://github.com/moby/buildkit/issues.

Contributors

• Tõnis Tiigi

Notable Changes

• Fix excessive chunking when fetching blobs #6366

Dependency Changes

This release has no dependency changes

Previous release can be found at v0.26.0

v0.26.0

buildkit 0.26.0

Welcome to the v0.26.0 release of buildkit!

Please try out the release binaries and report any issues at
https://github.com/moby/buildkit/issues.

Contributors

• Tõnis Tiigi
• CrazyMax
• Akihiro Suda
• Sebastiaan van Stijn
• Jonathan A. Sternberg
• Brian Goff
• Dawei Wei
• Alberto Garcia Hierro
• Damon Holden
• David Karlsson
• Justin Chadwell
• Mikhail Dmitrichenko
• bpascard

Notable Changes

• Change how file checksum is calculated when wildcards and include/exclude patterns are involved to better align with how they are calculated in the non-wildcard path. #6238
• LLB Copy operation now allows specifying required paths to be included in the copy. #6229
• Fixed race condition between cache and snapshot for the Git source. #6281
• Fixed race condition in HTTP cache key digest computation that could cause duplicate requests and digest mismatch errors. #6292
• Runc container runtime has been updated to v1.3.3. #6331
• Source metadata requests via ResolveSourceMeta, previously available for image sources, can now be performed for Git sources. This can be used to resolve Git commit and tag checksums and also to access the raw commit and tag objects for further verification. #6283
• Source metadata requests via ResolveSourceMeta, previously available for image sources, can now be performed for HTTP sources. This can be used to access artifact checksums, last-modified time etc. #6285
• Git sources can now perform verification of GPG or SSH signatures on commits and tags. Enable git signature checks via source policy. #6300 #6344
• contentutil package now supports moving referrer objects when using CopyChain function. #6336
• Fix fetch by commit for git source when tags change or branch names are updated. #6259
• Fix http connection leak when resolving metadata from http source on non-2xx HTTP status codes. #6313
• A new type of source policies has been added that supports making policy decisions on the client side via session tunnel. #6276
• Add buildkit capability for detecting if source policy decisions can be made via session tunnel. #6345
• Avoid intermediate type wrappers for custom fields in provenance. #6275
• Add raw commit/tag object access when resolving git source metadata. #6298
• Move image source resolver away from the ResolveImageConfig type to ResolveSourceMetadata. #6330 # probably not needed for changelog
• Fix inline cache used with multiple exporters. #6263
• Fix handling multiple inline cache exporters configured for single build. #6272
• Fix handling of annotated Git tags. The pin of the annotated tag should be the SHA of the tag and not the commit it is pointing to. #6251
• Fix source policy attributes validation when multiple rules use the same identifier. #6342

Dependency Changes

• github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0 -> v1.18.2
• github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0 -> v1.11.0
• github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 -> v1.11.2
• github.com/AzureAD/microsoft-authentication-library-for-go v1.3.2 -> v1.4.2
• github.com/Microsoft/hcsshim v0.13.0 -> v0.14.0-rc.1
• github.com/ProtonMail/go-crypto v1.3.0 new
• github.com/aws/aws-sdk-go-v2 v1.30.3 -> v1.38.1
• github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.3 -> v1.7.0
• github.com/aws/aws-sdk-go-v2/config v1.27.27 -> v1.31.3
• github.com/aws/aws-sdk-go-v2/credentials v1.17.27 -> v1.18.7
• github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11 -> v1.18.4
• github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.8 -> v1.17.10
• github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15 -> v1.4.4
• github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 -> v2.7.4
• github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 -> v1.8.3
• github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.15 -> v1.4.4
• github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 -> v1.13.0
• github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.17 -> v1.8.4
• github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17 -> v1.13.4
• github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.15 -> v1.19.4
• github.com/aws/aws-sdk-go-v2/service/s3 v1.58.2 -> v1.87.1
• github.com/aws/aws-sdk-go-v2/service/sso v1.22.4 -> v1.28.2
• github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4 -> v1.34.0
• github.com/aws/aws-sdk-go-v2/service/sts v1.30.3 -> v1.38.0
• github.com/aws/smithy-go v1.20.3 -> v1.22.5
• github.com/cenkalti/backoff/v5 v5.0.3 new
• github.com/cloudflare/circl v1.6.0 new
• github.com/containerd/cgroups/v3 v3.0.5 -> v3.1.0
• github.com/containerd/containerd/api v1.9.0 -> v1.10.0
• github.com/containerd/containerd/v2 v2.1.4 -> v2.2.0
• github.com/containerd/go-cni v1.1.12 -> v1.1.13
• github.com/containerd/nydus-snapshotter v0.15.2 -> v0.15.4
• github.com/containerd/platforms v1.0.0-rc.1 -> v1.0.0-rc.2
• github.com/containerd/stargz-snapshotter v0.16.3 -> v0.17.0
• github.com/containerd/stargz-snapshotter/estargz v0.16.3 -> v0.17.0
• github.com/containernetworking/plugins v1.7.1 -> v1.8.0
• github.com/coreos/go-systemd/v22 v22.5.0 -> v22.6.0
• github.com/docker/cli v28.4.0 -> v28.5.0
• github.com/fatih/color v1.18.0 new
• github.com/go-logr/logr v1.4.2 -> v1.4.3
• github.com/gofrs/flock v0.12.1 -> v0.13.0
• github.com/golang-jwt/jwt/v5 v5.2.2 -> v5.3.0
• github.com/golang/groupcache 41bb18bfe9da -> 2c02b8208cf8
• github.com/google/pprof 27863c87afa6 -> f64d9cf942d6
• github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 -> v2.27.2
• github.com/hanwen/go-fuse/v2 v2.6.3 -> v2.8.0
• github.com/hashicorp/go-retryablehttp v0.7.7 -> v0.7.8
• github.com/hiddeco/sshsig v0.2.0 new
• github.com/klauspost/compress v1.18.0 -> v1.18.1
• github.com/mattn/go-colorable v0.1.14 new
• github.com/moby/policy-helpers bcaa71c99f14 new
• github.com/moby/sys/capability v0.4.0 new
• github.com/opencontainers/runtime-tools 2e043c6bd626 -> 0ea5ed0382a2
• github.com/prometheus/client_golang v1.22.0 -> v1.23.2
• github.com/prometheus/client_model v0.6.1 -> v0.6.2
• github.com/prometheus/common v0.62.0 -> v0.66.1
• github.com/prometheus/procfs v0.15.1 -> v0.16.1
• github.com/secure-systems-lab/go-securesystemslib v0.6.0 -> v0.9.1
• github.com/stretchr/testify v1.10.0 -> v1.11.1
• github.com/vbatts/tar-split v0.12.1 -> v0.12.2
• go.opentelemetry.io/auto/sdk v1.1.0 -> v1.2.1
• go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 -> v0.61.0
• go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.60.0 -> v0.61.0
• go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 -> v0.61.0
• go.opentelemetry.io/otel v1.35.0 -> v1.38.0
• go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.35.0 -> v1.38.0
• go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.35.0 -> v1.38.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 -> v1.38.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc...

dockerfile/1.20.0-labs

Usage

# syntax=docker.io/docker/dockerfile-upstream:1.20.0-labs

dockerfile/1.20.0

Usage

# syntax=docker.io/docker/dockerfile-upstream:1.20.0

Notable changes

• The --security flag for RUN instructions is now generally available. This flag was previously available under the labs channel. #6312
• The --parents flag for COPY instructions is now generally available. This flag was previously available under the labs channel. #6282
• Add support for converting a dockerfile to the LLB contents using a subrequest. Use buildx build --call=convertllb . for this functionality. #6295